In a letter Thursday to FTC Chairman Joseph Simons, Sen. Ron Wyden (D-Ore.) and Sen. Elizabeth Warren (D-Mass.) contend that Amazon was aware of the dangers of a server-side request forgery flaw - the type of security vulnerability that led to the breach - as far back as 2014.

The letter to the FTC

"Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks," they write. "Although Amazon's competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective cloud computing services to businesses, government agencies and to the general public."

Amazon officials couldn't immediately be reached for comment. But the company told The Wall Street Journal that the letter marked a "baseless and a publicity attempt from opportunistic politicians." It dismissed the importance of the SSRF issue in Capital One's breach, saying that "was just one of many subsequent steps the perpetrator followed after gaining access to the company's systems, and could have been substituted for a number of other methods."

SSRF: Gaining Credentials

Capital One's data breach sent a wave of fear through the financial sector. The company has aggressively embraced technology, including cloud computing.

But secure cloud computing also depends heavily on the service provider. Amazon draws strict lines between what it is responsible for and what its clients are responsible for maintaining. Still, cloud computing is a relatively new field, and the security requirements and controls are ever changing, which can prove challenging for administrators.

Amazon has indicated errors on the part of Capital One led to the breach. The breach exposed more than 106 million customer financial records, including credit card applications, in the U.S. and Canada, dating back to 2005.

Paige A. Thompson, 33, of Seattle, who was arrested and charged in connection with the breach, has pleaded not guilty. Thompson, who worked for about a year at Amazon in its web services and storage division, is additionally accused of stealing data from more than 30 other businesses and organizations (see: Alleged Capital One Hacker Pleads Not Guilty).

Federal investigators believe this is Paige A. Thompson's Twitter account, which is now suspended.

An SSRF attack involves tricking a server into accessing a resource it shouldn't be touching on behalf of the attacker. In the Capital One breach, it appears the company misconfigured a firewall and also allotted too many permissions to it. Then, it is believed, the attacker successfully exploited an SSRF vulnerability to gain credentials for a role via AWS's metadata service, which doles out fresh credentials (see Capital One's Breach May Be a Server Side Request Forgery).

From there, the attacker listed the storage buckets behind the firewall and copied more than 700 folders hosted on Amazon's S3, security experts believe.

Amazon: 'Humans Make Mistakes'

Amazon likely knew that AWS was vulnerable to SSRF "since the first high-profile demonstration by a cybersecurity researcher in 2014, the company has certainly known since mid-2018 at the latest," Wyden and Warren allege.

"In August of 2018, Amazon's security team was contacted by email by a cybersecurity expert who recommended that Amazon adopt the same cybersecurity defense against SSRF attacks already used by Google and Microsoft," they write.

The letter includes redacted emails from late August sent to Amazon by someone who warned that it should use host headers like Google does in order to protect AWS metadata services.
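To make the SSRF-to-metadata path and the header-based defence described above concrete from the defender's side, here is an added example that is not from the article, Amazon or any of the parties it quotes: a minimal outbound-URL guard that refuses to fetch link-local, private or loopback addresses (which is where cloud metadata services live), alongside a simulated metadata endpoint that only answers when a required request header is present, in the style of the protection the email to Amazon recommends. The DNS table, header name and credential string are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed lookup table standing in for DNS; the link-local address is the
# well-known cloud instance metadata address, the others are sample values.
CONSTRUCTED_DNS = {
    "metadata.internal": "169.254.169.254",
    "images.example.com": "93.184.216.34",
    "localhost": "127.0.0.1",
}

# Hypothetical header name/value modelled on the header-required defence the
# letter describes (Google's real header is Metadata-Flavor: Google).
REQUIRED_HEADER = ("X-Metadata-Flavor", "Example")


def fake_resolver(host):
    """Resolve a hostname via the constructed table; IP literals pass through."""
    return CONSTRUCTED_DNS.get(host, host)


def is_safe_outbound_url(url, resolver=fake_resolver):
    """Return True only for URLs a web app may fetch on a user's behalf.

    Rejects non-HTTP schemes, unresolvable hosts, and any host that resolves
    to a link-local, private, loopback or reserved address, which covers the
    instance metadata service an SSRF is typically aimed at. A real deployment
    must re-run this check on every redirect hop, not just the first URL.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(resolver(parts.hostname))
    except ValueError:  # not an IP literal and not in the table: refuse
        return False
    return not (ip.is_link_local or ip.is_private or ip.is_loopback or ip.is_reserved)


def metadata_service(headers):
    """Simulated metadata endpoint: credentials are issued only when the caller
    sets a header that a server blindly proxying a user-supplied URL will not add."""
    if headers.get(REQUIRED_HEADER[0]) != REQUIRED_HEADER[1]:
        return 403, "missing required header"
    return 200, "CONSTRUCTED-TEMPORARY-ROLE-CREDENTIAL"
```

The guard alone is not sufficient (DNS rebinding and redirects can defeat a one-time check), which is why the metadata side also needs the header requirement.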

The email warning to Amazon

In response to an earlier inquiry from Wyden, Amazon told him in a letter on Aug. 13 that "we are not aware of any other noteworthy SSRF compromises of AWS customers. It's possible that there have been small numbers of these that haven't been escalated to us, but none that we have confirmed at any significant scale beyond Capital One."

Amazon maintained that the first line of defense is a properly configured firewall. Also, Amazon says it gives its customers clear guidance on how to protect themselves from SSRF attacks. "We also offer our own AWS web application firewall, which has expansive capabilities through which customers can completely block SSRF and other attacks," it said.

Amazon said Capital One is a "sophisticated and thoughtful company" but "sometimes humans make mistakes."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
